Data Protection and privacy case-law Case law update (DPO meeting) 1

Transcription

1 Data Protection and privacy case-law Case law update (DPO meeting) 1 1. Judgment of the Court from 1 October 2015 in Case C-201/14 Smaranda Bara and Others v Președintele Casei Naționale de Asigurări de Sănătate and Others transfer of personal data between public administrative bodies and subsequent processing without informing the data subjects Judgment of the Court from 1 October 2105 in Case C-230/14 Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság., on the notion of establishment of the controller, applicable law, competent supervisory authority and power to impose penalties Judgment of the Court from 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, joined party Digital Rights Ireland Ltd Commission adequacy decision does not prevent a supervisory authority from examining a claim that a third country does not ensure an adequate level of protection + Commission Decision 2000/520 is invalid Judgment of the Court from 16 July 2105 in Case C-615/13, ClientEarth and Pesticide Action Network Europe (PAN Europe) v European Food Safety Authority (EFSA) - right to access to documents of EU institutions, concept or personal data, conditions for transfer of personal data Judgment of the Court from 15 July 2015 in Case T-115/13 Dennekamp v Parliament access to documents relating to the affiliation of MEPs to the additional pension scheme Request for a preliminary ruling from the Raad van State (Netherlands) lodged on 24 April 2015 in Case C-192/15 Rease and Wullems - notion of 'making use of equipment' and scope of powers of the DPA in Directive 95/46/EC Request for a preliminary ruling from the Kammarrätten i Stockholm (Sweden) lodged on 4 May 2015 in Case C-203/15 Tele2 Sverige AB v Post- och telestyrelsen - compatibility of the retention of traffic data with the eprivacy Directive and the Charter Request for a preliminary ruling from the Corte Suprema di Cassazione (Italy) lodged on 23 July 2015 in Case C-398/15 Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni - right to erasure - limits on the disclosure of personal data through commercial registers These notes have been prepared for information only by Caroline Callomme and Anna Colaps, stagiaires at the EDPS, and do not necessarily reflect the views of the EDPS. 1

2 1. Judgment of the Court from 1 October 2015 in Case C-201/14 Smaranda Bara and Others v Președintele Casei Naționale de Asigurări de Sănătate and Others transfer of personal data between public administrative bodies and subsequent processing without informing the data subjects, obligations of legal basis and publication Link to the judgment Facts of the case Romanian law allows public bodies to transfer personal data to the health insurance funds for the purpose of determining whether an individual qualifies as an insured person and an internal protocol specifies that this includes income data. The National Tax Administration Agency (ANAF) transferred the applicants' income data to the National Health Insurance Fund (CNAS). The CNAS relied on that data to require payment of arrears of contributions to the health insurance regime. The applicants brought an appeal before the Court of Appeal in which they challenged the lawfulness of the transfer of tax data relating to their income in light of Directive 95/46. In that context, the national court filed a request for a preliminary ruling to establish whether the processing required prior information to be given to the data subjects and whether the transfer of data on the basis of the Protocol is contrary to Directive 95/46. Main findings of the Court The Court summarized the question referred as follows: the referring court asks, in essence, whether Articles 10, 11 and 13 of Directive 95/46 must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public administrative body in a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects being informed of that transfer and processing (para. 28). Applicability of the Directive 2

3 The Court first established that: (1) the tax data transferred to the CNAS by the ANAF constitute personal data within the meaning of Article 2(a) of the directive because they are information relating to an identified or identifiable natural person ; (2) the transfer of the data and their subsequent processing constitute processing of personal data within the meaning of Article 2(b) of the directive (para. 29). The transfer does not comply with Article 10 Member States intervening argued that there is no need to provide information on transfers between public authorities The Court explained that the requirement of fair processing found in Article 6 of the directive requires a public administrative body to inform the data subjects of the transfer of those data to another public administrative body for the purpose of their processing by the latter in its capacity as recipient of those data (para. 34). In light of the facts of the case, the Court noted that the applicants were not informed of the transfer (para. 35). The Court acknowledged that the applicable Romanian law allows public bodies to transfer the data necessary to certify that the person concerned qualifies as an insured person to the health insurance funds. Nonetheless, the Court noted that a taxable income is not required to qualify as insured therefore it considered that income data is not covered by the relevant legal provision (para. 37). For this reason, the Court held that the national provision does not constitute prior information within the meaning of Article 10, hence, the transfer does not comply with Article 10 of the directive (para. 38). The Court further examined whether Article 13 of the directive can be relied upon by the Member State to derogate from Article 10. o (1) The Court restated that the income data is not necessary to determine whether a person is insured. o (2) The definition of the data which can be transferred and the arrangements for transferring it are laid down in a Protocol established between the public bodies, which is not legally binding nor published officially (para. 40). The Court therefore concluded that the conditions laid down in Article 13 are not fulfilled (para. 41). The processing does not comply with Article 11 The Court further held that the CNAS, which did not obtain the data from the data subjects, must inform them of the identity of the data controller, the purposes of the processing and the categories of data processed in accordance with Article 11(1) (a) to (c) (para. 42). In light of the facts of the case, the Court found that the applicants did not receive such information (para. 44). The Court further stated that the national provision and the Protocol do not meet the requirements of Article 11(2) or those of Article 13 and the Member State cannot rely on this exception to derogate from Article 11(1) (para. 45). Conclusion: Articles 10, 11 and 13 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the 3

4 processing of personal data and on the free movement of such data, must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing (Decision). 2. Judgment of the Court from 1 October 2105 in Case C-230/14 Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság., on the notion of establishment of the controller, applicable law, competent supervisory authority, duty to hear complaints and to cooperate, and power to impose penalties. Link to the judgment Facts of the case Weltimmo, a company registered in Slovakia, runs a property dealing website regarding Hungarian properties. In this regard, it processes the personal data of the advertisers. The advertisements published on the website are free of charge for the first month while after a fee is to be paid. With the expiry of the first month, many advertisers asked the company to have their adverts deleted as well as their personal data. Irrespective of the request, Weltimmo not only did not proceed with the deletion, but also charged the advertisers for the prices of the services and forwarded their personal data to debt collection agencies. The advertisers filed complaints before the Hungarian Data Protection Authority, which fined Weltimmo. The latter brought an action before the Administrative and Labour Court in Budapest and afterwards appealed the decision before the Supreme Court, which issued a preliminary ruling request to the EU Court of Justice on the interpretation of Article 4(1) and 28 (1), (3) and (6). Rulings of the Court Scope of application, notion of "establishment" The Court agrees with the opinion of the Advocate General in embracing a flexible rather than a formal definition of the "establishment". A data controller has an establishment, within the meaning of Directive 95/46 and particularly of Recital 19, wherever there is an effective and real exercise of the activity through stable arrangements (par. 29). Weltimmo developed two websites entirely written in Hungarian and regarding properties set in Hungary. Moreover, it did not carry out any activity at the place where it is formally registered and had changed the registered office from one State to another on several occasions. Lastly, the company opened a bank account in Hungary for recovering the debts, owned a letter box for everyday business affairs and has a formal representative in the same MS, who acted as an intermediary between the company itself and the advertisers; he also tried to negotiate the settlement of the unpaid debts. It appears then that Weltimmo, although formally registered in Slovakia, is carrying out its activity in Hungary (par ). In the light of the final goal pursued by the directive, which is effectively ensuring the protection of individuals personal data, even the presence of only one representative can, in some circumstances, suffice to represent stable arrangements if the same 4

5 representative acts with a sufficient degree of stability. The company is therefore held to pursue a real and effective activity in Hungary. For this reason, since according to Article 4(1)(a) the MS shall apply the national provision adopted pursuant to the directive, Hungarian national law will be applicable to the case (par. 41). Conclusion: Accordingly, Article 4(1)(a) of the Directive 95/46 must be interpreted as allowing the application of the DP provisions of a MS other than the MS in which the controller is registered, as long as it exercises a real and effective activity (also a minimal one) by means of stable arrangements (questions 1-6). Power of the national supervisory authority to impose penalties The facts proving the real establishment of Weltimmo in Hungary are for the referring court to be verified (par. 33). The supervisory authority of a MS to which a complaint has been submitted in relation to the processing of his personal data shall examine it, irrespective of the applicable law. However, if the DP authority at issue reaches the conclusion that provisions other than the national ones are to be applied at the case since no establishment is found, the supervisory authority will not be endowed of the all powers conferred in accordance with the law of the MS. While on one hand the list of powers of article 28 (3) should not be considered as exhaustive and the powers of intervention may include the power to impose fines (par 49), on the other hand the mentioned powers of intervention must be exercised in compliance with the principles of territorial sovereignty and therefore not outside the jurisdiction of the Member State (par 59-60). On these grounds, the authority could not impose penalties on the basis of the law of another MS, but should, in accordance with article 28 (6) of the directive, conversely request the supervisory authority of that MS whose law is applicable to act in this regard (question 7). Accordingly, it shall, in fulfilment of the duty of cooperation laid down in Article 28(6) of the directive, request the supervisory authority of that other Member State to first establish an infringement of that law and then to impose penalties, based, where necessary, on the information which the authority of the first Member State has transmitted to the authority of that other Member State (par. 57). Lastly, the Court states that the Hungarian term used in the provision which transposed the directive into the Hungarian Law, meaning technical manipulation of data, shall be interpreted as having the same meaning as processing of data within the meaning of the directive (question 8). 3. Judgment of the Court from 6 October 2015 in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, joined party Digital Rights Ireland Ltd Commission adequacy decision does not prevent a supervisory authority from examining a claim that a third country does not ensure an adequate level of protection, DPA must handle complaints with due diligence, Commission Decision 2000/520 is invalid. Link to the judgment Facts of the case 5

6 Mr. Schrems lodged a complaint asking the Data Protection Commissioner to prohibit Facebook Ireland from transferring his personal data to the United States. He submitted that the country did not ensure an adequate level of protection of personal data because of the surveillance activities conducted by the public authorities. The Commissioner considered that he was not required to investigate the complaint because of the lack of evidence and because the adequacy of data protection is determined by Decision 2000/520. Mr. Schrems challenged the Commissioner's decision before the High Court which decided to ask the Court of Justice whether the Commissioner is bound by Community findings on the adequacy of protection in a third country or whether he can examine the claim of a person which contends that the level of protection is inadequate. The EDPS was invited by the Court to intervene in the oral hearing. 2 Main findings of the Court 3 Powers of national supervisory authorities The EDPS advised that independence under Article 8(3) of the Charter means that the Safe Harbor Decision cannot limit the power of DPAs to take action. The Court recalled that Article 28 of the directive, Article 8(3) of the Charter and Article 16(2) TFEU require the Member States to establish one or more public authorities responsible for monitoring, with complete independence, compliance with EU rules on the protection of individuals with regard to the processing of such data (para. 40). The Court further noted that the national supervisory authorities' powers do not extend to personal data processed outside of their Member State but it specified that the transfer of personal data from a Member State to a third country constitutes 'processing of personal data' (paras ) within its territory. Accordingly, the Court held that each national supervisory authority has the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down by Directive 95/46 (para. 47). The Court restated that Article 25 of the Directive makes clear that the finding that a third country ensures or not an adequate level of protection may be made by the Member States or by the Commission (para 50). Under Article 25(6) of the Directive, the Commission may adopt a decision stating that a third country ensures an adequate level of protection. This decision is binding on the Member States and all their organs (para. 51). For this reason, the Member States and their organs, including the national supervisory authorities, cannot adopt measures contrary to this decision until the decision is declared invalid by the Court (para 52). However, the Court stressed that such decision does not eliminate the powers of the national supervisory authorities with regard to the transfer of personal data to a third country subject of that decision (para. 54). It follows that the national supervisory authorities must be able to examine, with complete independence and due diligence, whether the transfer of data complained of 2 EDPS pleadings at oral hearings can be consulted at: 3 This summary builds upon the summary drafted by the coordinators of the International Transfers Subgroup of the Article 29 Working Party. 6

7 complies with the Directive even if the Commission has adopted an adequacy decision (para. 57). The Court explained that a claim by an individual that the law and practices of a third country do not ensure an adequate level of protection despite a Commission decision to the contrary questions whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals (para. 59). The Court recalled that it alone has the jurisdiction to review the compatibility of Union institutions acts, including Commission decisions (paras ) cf the Advocate General on this point. In a situation where the national supervisory authority comes to the conclusion that the arguments put forward in support of such a claim are unfounded and therefore rejects it, the person who lodged the claim must have access to judicial remedies enabling him to challenge such a decision adversely affecting him before the national courts. Those courts must stay proceedings and make a reference to the Court for a preliminary ruling on validity where they consider that one or more grounds for invalidity put forward by the parties or, as the case may be, raised by them of their own motion are well founded (para. 64). Where the national supervisory authority considers that the objections advanced by the person who has lodged a claim are well founded, it must be able to engage in legal proceedings, pursuant to the third indent of the first paragraph of Article 28 (3) of the Directive. It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision s validity (para. 65). Conclusion: (...) Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection (para. 66). Validity of the Safe Harbour Decision The EDPS advised that the Safe Harbor Decision was never perfect but that the reach and scale of mass surveillance in the U.S. is now so serious that the Safe Harbor Decision may constitute a failure to respect the essence of Articles 7 and 8 of the Charter. In DRI the essence of the rights were respected because there was no obligation to regard content (art 7) and there were some safeguards laid down (art 8). Neither is the case here. In the view of the Court, the adequacy decision does not contain sufficient findings regarding the measure by which the United States ensures an adequate level of protection. The Court adopted a significant innovation of interpretation: according to Article 25(6) of Directive 95/46, the European Commission should consider the third 7

8 country's level of protection as essentially equivalent to the one guaranteed in the EU legal order in order to issue an adequacy decision and should moreover give duly reasoned justification for this. Even though the directive 95/46 does not contain a specific definition of the notion of "adequate level of protection" it does refer to the need of conducting an assessment "in the light of all circumstances surrounding a data transfer operation". With this regard, the Court clarifies that the term "adequate", if it does not stand for an identical level of protection to be ensured, at least refers to an equivalent level of protection to the one ensured by the European Union by virtue of the Directive 95/46 read in the light of the Charter. In the view of the Grand Chambre, even though the recipient country has adopted means to ensure adequacy which may be different from the ones used within the EU legal order, the same means must be practically ensuring an adequate, and then, equivalent level of protection as the EU does (par ). In this light, the European Commission is obliged to assess the content of all applicable rules resulting from domestic law or international commitments which are relevant for data transfer (par. 75). The Court clarifies that the European Commission is additionally in charge of periodically conducting checks on whether the finding may be still retained as factually and legal justified (par. 76). Notwithstanding the Court argues that there is no need for analysing the content of the SH principles, the Court takes the view that the reliability of a self - certification system essentially depends on the existence of an effective mechanism of both detection and supervision which would allow for any infringement to be detected and punished, this meeting the criterion of "adequacy". (par. 81) Firstly, SH principles are only applicable to self - certified US organizations receiving personal data from the European Union, not being binding for US public authorities as a consequence (par 82). Secondly, the adequacy assessed in the decision only refers to the provisions as implemented in accordance with the FAQs issued by the US Department of Commerce, without ever including findings related to the measure taken by the US to ensure the adequate and therefore equivalent level of the protection from a broader point of view (par. 83). Moreover, Annex I and IV, together combined, allow for interference in private life as long as reasons of national security and public interest require to do so: in this case, the lack of compliance with the SH principles will be justified on the grounds of the overriding legitimate interests established by US law, which must prevail on the same Safe Harbour principles, as to limit the mentioned interference with the fundamental rights or to any effective legal protection against interference of this kind (par ). Interference with private life is to be accompanied with a set of minimum safeguards, as established in the EU Charter. On the contrary, EC adequacy decision does not make any detailed reference to the safeguards which are taken by US to ensure adequacy (par.91).legislation which allows public authorities to access on a generalised basis the content of electronic communications must be considered as compromising the essence of the fundamental right to respect for private life as guaranteed by article 7 of the Charter. Similarly, legislation not granting effective legal remedies to access one's own personal data, to have data either rectified or erased, compromises the essence of fundamental right to effective judicial protection as guaranteed in article 47 of the Charter. However the Court made no ruling on respect for the essence of Article 8 of the Charter. 8

9 Conclusion: Article 1 of the Decision 2000/520 is declared invalid since it does not comply with article 25(6), requiring for the third recipient country to ensure an adequate level of protection by reasons of its domestic law or international commitments. Excess of power from the Commission The EDPS advised that independence under Article 8(3) of the Charter means that the Safe Harbor Decision cannot limit the discretion of DPAs to what action to take. According to the Court, Article 28 of the directive, to be read in the light of Article 8 of the Charter, enables and requires national supervisory authorities to examine, both with independence and due diligence, claims arising from individuals which may also raise questions on the compatibility of a EC adequacy findings with protection of fundamental rights law (par. 99). Article 3(1) of the adequacy decision makes the suspension of data flow to an organization having self - certified its adherence to the principles, possible only under restrictive conditions establishing a high threshold for intervention. In this sense, Article 3(1) must be read as hindering national supervisory authority from exercising the whole range of their powers under Article 28 of Directive 94/46 (par. 102). See the CJEU Press Release: This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems complaint with all due diligence. Conclusion: Article 3 of the Decision 2000/520 is declared as invalid for having the Commission exceeded the power conferred in Article 25(6) of the directive 95/46, depriving DPA from the power of diligently handling complaints in cases where compatibility of the EC adequacy decision is at issue. "As Articles 1 and 3 of the Decision 2005/520 are inseparable from Articles 2 and 4 of that decision and the annexes thereto, their invalidity affects the validity of the decision in its entirety. (...) It is to be concluded that Decision 2000/520 is invalid (paras )". 9

10 Link 4. Judgment of the Court from 16 July 2105 in Case C-615/13, ClientEarth and Pesticide Action Network Europe (PAN Europe) v European Food Safety Authority (EFSA) - right to access to documents of EU institutions, concept of personal data, conditions for transfer of personal data. Facts of the case The European Food Safety Authority established on 25 September 2009 a working group as to develop a guidance document on how to implement Article 8(5) of the Regulation No 1107/2009 concerning the placing of plant protection products on the market. The working group submitted a draft guidance document to two EFSA bodies (the Plant Protection Products and their Residues Panel and the Pesticide Steering Committee) whose members were also external experts. The working group then incorporated the comments made by the external experts and subjected the document to a public consultation, with also PAN Europe involved. On 10 November 2010 ClientEarth and PAN Europe jointly submitted to EFSA an application requesting access to the sets of documents on the preparation of the draft guidance document. On 1 December 2010 EFSA granted partial access to documents and after the request made by the applicants to reconsider its position, by decision of 10 February 2011 it confirmed that access to the documents was to be refused under the second subparagraph of Article 4(3) of Regulation 1049/2001. On April 2011 ClientEarth and PAN Europe brought an action for the annulment of the first decision, later extended also the second one. The General Court dismissed the action holding that the pleas were unfounded. ClientEarth and PAN Europe finally appealed against the General Court decision. With the first ground of appeal, ClientEarth and PAN Europe criticise the finding of the General Court, claiming a misapplication of the concept of "personal data" within the meaning of Article 2(a) of Regulation No 45/2001: in their view, an expert issuing a scientific opinion, in a professional capacity, is not covered by the concept of privacy (par ). By the second and third grounds of appeal, the appellants maintain that neither the General Court nor EFSA weighted the conflicting rights to transparency and to protection of privacy and personal data (par. 38) and that the General Court' dismissal of the various arguments as to establish the necessity of the disclosure of the information was in breach of the principle of proportionality (par. 39). The EDPS intervened before both Courts in favour of EFSA and against the applicants limitation of the notion of personal data to the scope of privacy. The rights of privacy and protection of personal data are separate and the right to data protection applies whenever personal data are processed. Main rulings of the Court On the concept of "personal data" 10

11 ClientEarth and PAN Europe substantially requested to know the identity of the authors of each comment made by the external experts to the draft guidance document (par.28). As the information acquired would make it possible to connect a specific comment to a particular expert, the information itself constitutes a set of personal data within the meaning of Article 2(a) of Regulation No 45/2001, being it related to an identified natural person (par. 29). "In so far as that information would make it possible to connect to one particular expert or another a particular comment, it concerns identified natural persons and, accordingly, constitutes a set of personal data, within the meaning of Article 2(a) of Regulation No 45/2001" (para 29). The characterization as personal data cannot be excluded: a) by the fact that the information is provided as a part of the professional activity (par. 30); b) by the circumstance that the identity of the experts and the comments were previously made public on the EFSA website; c) by the circumstance the persons concerned do or do not object (par ). On the conditions for transfer of personal data Where an application is made seeking access to personal data within the meaning of Article 2(a) of Regulation No 45/2001, the provisions of that regulation, and in particular Article 8(b) thereof, are applicable in their entirety (par.44) Under Article 8(b) of the Regulation No 45/2001, the transfer of personal data to recipients other than Community institutions and bodies is cumulatively subjected to the necessity of the transfer, established by the recipient, and to the assumption of no prejudice for the legitimate interests of the data subject (par ). The seeker of access shall establish the necessity of the transfer and then demonstrate it. The institution involved shall afterwards determine whether there is reason to assume that the transfer might jeopardize data subject's legitimate interests. In case it found no reason, then the access must be granted; conversely, if it founds reason for prejudice, it is for the institution to find the balance between the conflicting rights, as to establish whether to grant access or not (par. 47). As automatic priority cannot be conferred on the objective of transparency over the right to protection of personal data (judgment in Volker und Markus Schecke and Eifert, C-92/09 and C-93/09) the General Court held that the appellants had not established the necessity of the disclosure, since only a generic reference to the principle of transparency was made on their part (par ). A consideration of general nature is not sufficient in itself. The Advocate General argued that a lower requirement of necessity should be applicable in the case of professional activities. However, the Court noted that the appellants based their litigation on a precise accusation against EFSA, based on a precise study that showed that EFSA often retained experts linked to industrial lobbies (par. 53). Since the transparency of a decision-making process for the adoption of a measure as the guidance document (therefore with an impact on the activities of economic operators) contributes to that authority acquiring greater legitimacy towards the person directly involved, as well as accountability to citizens in a democratic system (par. 56), the acquisition of the information at issue was necessary so that the impartiality of these experts could be specifically assessed. Accordingly, the General Court was wrong to hold that the 11

12 arguments of the parties were not sufficient to establish the necessity of the transfer (par. 59). On the action before the General Court EFSA' allegation that the disclosure of the information would have been likely to undermine the privacy of the experts is based on a consideration of a general nature, not otherwise supported by any other specific element (par. 69). (...) while the authority concerned must assess whether the disclosure requested might have a specific and actual adverse effect on the interest protected (...), EFSA s allegation that the disclosure of the information at issue would have been likely to undermine the privacy and integrity of the experts concerned is a consideration of a general nature which is not otherwise supported by any factor which is specific to this case. On the contrary, such disclosure would, by itself, have made it possible for the suspicions of partiality in question to be dispelled or would have provided to experts who might be concerned with the opportunity to dispute, if necessary by available legal remedies, the merits of those allegations of partiality. (para. 69) Accepting such an unsupported claim by EFSA would mean it would apply to any situation where an authority of the European Union obtains opinion of experts prior to the adoption of a final measure having effects on economic operators. This outcome would be contrary to the requirement that exceptions to the right of access to documents held by the EU institutions must be interpreted strictly (par.70). Under Article 61(1) of the Statute of the CJEU when a judgment under appeal is set aside, the CJEU may issue final judgment in the matter if the state of the action permits the judgment. As the question of legitimate interest had not yet been considered at first instance, the Advocate General did not think that the state of the action permitted judgment by the Court of Justice. However the Court of Justice felt that the state of the action permitted it to set aside the judgment of the General Court and annul the decision of EFSA. Link 5. Judgment of the Court from 15 July 2015 in Case T-115/13 Dennekamp v Parliament access to documents relating to the affiliation of MEPs to the additional pension scheme Facts of the case Mr Dennekamp is a journalist who first requested access to documents relating to the affiliation of certain MEPs to the additional pension scheme on the basis of Regulation 1049/2001 in November His first application to the Court in Case T-82/09 was dismissed in December 2008 on the basis that he had failed to comply with the requirement to show necessity for the transfer under Article 8(b) of Regulation 45/2001, following the ruling by the Court of Justice in Case C-28/08 P, Bavarian Lager in June,

13 In his second initial application in September 2012, he submitted that there was an objective necessity within the meaning of Article 8(b) of Regulation 45/2001 for the personal data to be transferred relying on the existence of a broad public interest in transparency. Furthermore, he argued that there was no risk that the data subjects' legitimate interests would be prejudiced by disclosure of the data concerned because it would not affect their private interests. The application was refused on the ground that the applicant failed to demonstrate the necessity for the data to be transferred by referring exclusively to the public interest in transparency. In his confirmatory application, Mr Dennekamp applied again for access to the documents relying on the right of access to information and the right to freedom of expression. The European Parliament rejected the application on the basis of the exception relating to a risk of privacy and the integrity of the individual being undermined, as provided for in Article 4(1)(b) of the Regulation 1049/2011, on the grounds that those documents contained personal data within the meaning of Article 2(a) of Regulation 45/2001, disclosure of which would be contrary to that regulation, which must be applied in its entirety where the documents requested contain such data. The applicant seeks to annul the EP decision rejecting his confirmatory application. The EDPS supported the applicant in this case, as well as in the earlier Case T-82/09. The EDPS noted in particular that the personal data of MEPs was being processed within their public rather than their private sphere and that there was no reason to expect that transfer of the requested information would prejudice this lower standard of legitimate interest. Main findings of the Court The Court first noted that the names of 65 MEPs who were members of the additional pension scheme had been made public in previous rulings given by the Court and were therefore outside of the scope of the ruling (paras ). Infringement of Articles 11 and 42 of the Charter and error of law in application of Article 4(1)(b) of Regulation 1049/2001 read in conjunction with Article 8(b) of Regulation 45/2011 Legislative framework The Court stated that if an application for access to documents may result in the disclosure of personal data, the institution must apply all the provisions of Regulation 45/2001, and the full scope of the protection afforded to those data may not be limited as a result of the various rules and principles in Regulation 1049/2001 (para. 51). Article 8(b) of Regulation 45/2001 requires the institution to assess the necessity and proportionality of the request in light of the applicant's objective. Furthermore, the institution must examine whether the legitimate interests of the data subjects might be prejudiced by granting the request in light of the applicant's objective. For this reason, the institution must assess the justification for access to the documents given by the applicant (para. 54). Although this observation amounts to the recognition of an exception to Article 6(1) of Regulation 1049/2001, the Court ruled that is justified by the effet utile to be given to the provisions of Regulation 45/2001, in particular Article 8(b) (para. 55). 13

14 The Court stressed that the conditions to transfer personal data must be interpreted strictly. The condition of necessity is fulfilled where the applicant gives express and legitimate reasons showing that the transfer of personal data is the most appropriate of the possible measures for attaining the applicant's objective, and that it is proportionate to that objective (para. 59). The Court argued that this strict interpretation would not prevent any access to documents because it does not follow that a general justification, such as the public's right to information concerning the conduct of MEPs, cannot be taken into consideration (paras ). The Court summarized its findings as follows (para. 68): o the condition of necessity laid down in Article 8(b) of Regulation 45/2001 must be strictly interpreted; o it requires an examination in light of the objective pursued by the applicant, thereby restricting the scope of the rule on the absence of justification for an application for access; o the justification may be of a general nature (so long as it makes it possible to determine whether the transfer of data is the most appropriate of possible measures see below); o Regulation 1049/2001 must not be rendered devoid of purpose by an interpretation of the relevant provisions that would mean that legitimate disclosure could never have the aim of full disclosure to the public. Application to the facts of the case In the contested decision, the EP found that the public interest in the expenditure of public money, including the financial benefits enjoyed by the MEPs, was abstract and very general. Moreover, the EP asserted that the applicant failed to prove the necessity to receive the specific personal data requested to achieve his aim because the Bureau, and not all members of the schemes, was in charge of making decisions with regard to the additional pension scheme and because he failed to identify a particular and specific risk of conflict of interest (para. 73). *Right to information and right to freedom of expression The Court held that relying on the right to information and the right to freedom of expression is not sufficient to establish that the transfer of the names of the MEPs participating in the additional pension scheme is the most appropriate of the possible measures to inform the public and enable it to take part in a debate on the legitimacy of the scheme or that it is proportionate to it (paras. 81 and 87). For this reason, Articles 11 and 42 of the Charter have not been infringed (para. 87). The applicant merely asserted (...) that the measures designed to provide public control over public expenditure in the context of the additional pension scheme (...) did not protect the fundamental rights he had invoked (...) and that those measures could not, therefore, justify the non-disclosure of the data at issue. It must be noted that it cannot be determined from those points in what respect the transfer of the names of MEPs participating in the scheme is the most appropriate measure for attaining the applicant s objective, or how it is proportionate to that objective. The mere assertion that that transfer would best ensure the protection of fundamental 14

15 rights cannot be considered to have been the result of even a limited analysis of the effects and implications of the various measures that might be adopted in order to meet the applicant s objectives. (para. 83) * Bringing to light the possible conflicts of interests of MEPs The applicant also argued that access to the documents is necessary to determine whether MEPs' voting behaviour with regard to the additional pension scheme is influenced by their financial interests and the Court identified the objective of the applicant as the bringing to light of possible conflicts of interests of MEPs (paras ). It described this conflict as the possibility for MEPs to amend the additional pension scheme or express their views on it in such a way as to promote their interests as beneficiaries of the scheme (para. 93). a) Necessity The Court held that the transfer of the names is the most appropriate measure to determine whether the interests that MEPs have in the scheme can influence their voting behaviour and it is proportionate to it (para. 94). However, the disclosure of the names is not sufficient to reach this objective and it is also necessary to know which MEPs voted on the scheme (para. 95). The Court noted that it is sufficient to demonstrate the existence of a possible conflict of interest: 'For the purpose of bringing to light the potential conflicts of interests of MEPs voting on the additional pension scheme, the applicant was, as a matter of law, entitled merely to show that they were in that situation because of their dual role as MEPs and as members of the scheme. The concept of a conflict of interest relates to a situation in which the interest identified may, in the eyes of the public, appear to influence the impartial and objective performance of official duties and does not, therefore, require the lack of any impartial performance of the duties in question to be demonstrated' (para. 110). The Court found that the EP made a manifest error of assessment when it found that the applicant had not established the necessity to transfer the names of the MEPs who had voted on the scheme in light of the aim of bringing to light potential conflicts of interests (para. 113). b) Prejudice to the legitimate interests of the data subjects (personal data falling within the public or the private sphere of the MEPs) The Court recalled that an EU institution which receives a request of access to documents including personal data must refuse if there is the slightest reason to assume that the data subjects' legitimate interests would be prejudiced (para. 117). The Court noted that it must be taken into account that public figures have generally already accepted that some of their personal data will be disclosed to the public (para. 119). For this reason, it is necessary to identify whether the personal data requested falls within the public or private sphere of the MEPs. In that regard, the Court found that the personal data concerned falls within the public sphere of the MEPs because it is necessary to be an MEP in order to join the additional pension scheme and because of the significant financial and legal commitment of the Parliament to the scheme (paras ). 15

16 The legitimate interests of the MEPs must therefore be subject to a lesser degree of protection than the one that would be afforded to interests falling within the private sphere (para. 124). The Court further held that the legitimate interests of the MEPs who are members of the additional pension scheme cannot be prejudiced by the transfer of the personal data at issue in view of the importance of the interests invoked which are intended to ensure the proper functioning of the European Union by increasing the confidence that citizens may legitimately place in the institutions (para. 126). The Court warned against the incorrect assertion of the EP that there is a legally binding presumption favouring the legitimate interests of the data subjects (para. 127). The Court declared that the EP made a manifest error of assessment in finding that the legitimate interests of MEPs participating in the additional pension scheme who took part in a vote on it might be prejudiced by the transfer of their names (para. 130). However, the Court specified that this finding is limited to those members who took part in the votes on the pension scheme (para. 131). Failure to state reasons The Court explained that the institution must, in principle, explain how disclosure could specifically and actually undermine the protected interests (para. 133). In this case, the Court held that despite the relatively succinct reasoning of the EP in the contested decision, the EP did not fail to state reasons (para. 141). Conclusion: (...) 2. Annuls Decision A(2012) in so far as access is thereby refused to the names of Members participating in the additional pension scheme of the European Parliament who, as members of the Parliament s plenary, actually took part in the votes on that additional pension scheme held on 24 April 2007, 22 April 2008 and 10 May 2012; Link 6. Request for a preliminary ruling from the Raad van State (Netherlands) lodged on 24 April 2015 in Case C-192/15 Rease and Wullems - notion of 'making use of equipment' and scope of powers of the DPA in Directive 95/46/EC Questions referred: (1) Does an instruction to employ equipment for the processing of personal data within the territory of a Member State, issued outside the EU by a controller, within the meaning of Article 2(d) of Directive 95/46/EC, to a detective agency established within the EU, come within the notion of making use of equipment within the meaning of Article 4(1)(c) of that directive? (2) Does Directive 95/46/EC, in particular Article 28(3) and (4) thereof, given the objective of that directive, allow the national authorities the latitude, when enforcing the protection of 16

17 individuals by the supervisory authorities provided for in that directive, to set priorities which result in such enforcement not taking place in the case where only an individual or a small group of persons submits a complaint alleging a breach of that directive? Link 7. Request for a preliminary ruling from the Kammarrätten i Stockholm (Sweden) lodged on 4 May 2015 in Case C-203/15 Tele2 Sverige AB v Post- och telestyrelsen - compatibility of the retention of traffic data with the eprivacy Directive and the Charter Questions referred: (1) Is a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime compatible with Article 15(1) of Directive 2002/58/EC, taking account of Articles 7, 8 and 15(1) of the Charter? (2) If the answer to question 1 is in the negative, may the retention nevertheless be permitted where: (i) access by the national authorities to the retained data is determined as described in this request for a preliminary ruling, and (ii) security requirements are regulated as described in the present request, and (iii) all relevant data are to be retained for six months, calculated as from the day the communication is ended, and subsequently deleted as described in the present request? Link 8. Request for a preliminary ruling from the Corte Suprema di Cassazione (Italy) lodged on 23 July 2015 in Case C-398/15 Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni - right to erasure - limits on the disclosure of personal data through commercial registers. The applicant in the main proceedings is an entrepreneur who was declared bankrupt in This information is still available in a public register and this causes harm to his business. The Italian Corte di Cassazione asks whether Directive 95/46 (Art 6 (e), in particular) implies a time limit for publications of personal data in a public register. Information normally remains forever in these types of registers, accessible to everyone, as also required under EU law (Directive 68/151). The second question asks whether Directive 68/151 allows any limitations to publication. Questions referred: (1) Must the principle of keeping personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or 17